Wednesday, April 3, 2013

Mastering The Linux Shell - Getting Permission

Under
Linux, access to files and directories is controlled by a system of
permissions. Those permissions define who can see a file, whether they
can modify it in any way, and in the case of some files, whether the
commands within that file (or the file itself) can be executed. By
executed, we mean "can we run that program?". Let's take a look at
permissions and how you you can work with them.
Your introduction is one of the first commands I told you about, "ls", the program you use to list files. When we use the 'ls -l' command, we get our first look at Linux security, this time at the file (or directory) level. Here is an example of a long 'ls' listing.

The
first entry under the total column shows a directory (we'll talk about
the next nine characters in a moment). The first character is a 'd' which indicates a directory. Right at the end of each line, you'll find the directory or file name - in my example, they are presents, wishlist, and griflong. Since the first character in the permissions field is a "d", then presents is a directory.
On to those other nine characters (characters 2 thru 10). These indicate permissions for the user or owner of the file (first three), the group (second group of three), and others
or everyone else (last three). In line one, user root has read, write,
and execute permission while the system group has only read and
execute. The three dashes at the end imply that no one else has any
permissions. The next two files are owned by the user called "zonthar".
So remember user, group, and other (ugo). You will find it useful
later when we talk about changing file and directory permissions.

More on File Permissions

What you can and can’t do with a file, as defined by your user or
group name, is pretty much wrapped up in 4 little letters. Each of
those letters in turn can be referenced by a number. They are r, w, x, and s. Their numerical representations are 4, 2, 1, and “it depends”. To understand all that, we need to do a little binary math.
Reading from right to left, think of the x as being in position 0.
The w, then, is in position 1 and the r is in position 2. Here’s the
way it works.

2 to the power of 0 equals 1 (x is 1)
2 to the power of 1 equals 2 (w is 2)
2 to the power of 2 equals 4 (r is 4)

In order to specify
multiple permissions, you can then just add the numbers together. If
you want to specify both read and execute permissions, simply add 4 and 1
and you get 5. For all permissions (rwx), use 7.
File permissions are referenced in groups of three “rwx” sections.
The “r” stands for “read”, the “w” means “write”, and the “x” denotes
that the file is executable.
While these permissions are arranged in three groups of three “rwx”
combinations, their meaning is the same in all cases. The difference
has to do with who they represent rather than the permissions
themselves. The first of these three represents the user; the second
trio stands for the group permissions, while the third represents
everybody that doesn’t fit into either of the first two categories.
The commands you will use for changing these basic permissions are chmod, chown, and chgrp.

chmod (CHange the MODe of a file, aka its permissions)
chown (CHange the OWNer of the file or directory)
chgrp (CHange the GRouP of the file or directory)

User and Group Ownership

To change the ownership of file “mail_test” from “root” to “natika”,
you would first have to log in as root since only root can change root’s
ownership of a file. This is very simple .

chown natika mail_test

You can also use the “-R”
option to change ownership recursively. We’ll use a directory called
“test_directory” as an example. Once again, it belongs to root and we
want to make every file in that directory (and below) owned by natika.

chown –R natika test_directory

The
format for changing group ownership is just as easy. Let’s change the
group ownership of test_directory (previously owned by root) so that it
and all its files and subdirectories belong to group “accounts”.

chgrp –R accounts test_directory

You can
even combine the two. In the following example, I change the ownership
of the entire finance_data directory to natika as the owner and
accounts as the group. To do that you use this form of the “chown”
command.

chown –R natika.accounts finance_data

You can use the “-R” flag to recursively change everything in a subdirectory with “chgrp” and “chmod” as well.
So, now files (and directories) are owned by some user and some group. This brings us to the next question.

Who can do what?

From time to time, you will need to modify file permissions. One
reason has to do with security. The most common reason, however, is to
make a shell script file executable. This is done with the chmod command.

chmod mode filename

For instance, if we had a script file called list_users, we would make it executable with the command:

chmod +x list_users

That will allow
execute permissions for all users. If you wanted to make the file
executable for the owner and group only, you would specify it on the
command line like this.

chmod u+x,g+x list_users

The “u” means user (the owner of the file, really) while “g”
stands for group. The reason we use “u” for the owner instead of “o”
is that the “o” is being used for other, meaning everyone else. The “chmod +x list_users” command could then be expressed as “chmod u+x,g+x,o+x list_users”.
Unfortunately, this starts to get a bit cumbersome. Now, let’s take a
much more complicated set of permissions. Imagine that we want our
“list_users” script to have read, write, and execute permissions for the
owner, read and execute for the group, and read only for anybody else.
The long way is to do this.

chmod u=rwx,g=rx,o=r list_users

Notice
the equal sign (=) construct rather than the plus sign (+). That’s
because the plus sign adds permissions and in this case, I wanted them
to be absolute. If the original permissions of the file allowed write
access for “other”, the plus sign construct would not have removed the
execute permission. Using the minus sign (-) removes permissions. If
we wanted to take away execute permissions entirely from a file, we
could do something like this.

chmod –x list_users

One way to simplify
the chmod command is to remember that “r” is 4, “w” is 2, and “x” is 1
and adding up the numbers in each of the three positions. “rwx” would
then be “4 + 2 + 1” or 7. “r-x” would translate to “4+1” and “x” would
simply be one. That monster from our second last example could then be
rewritten like this.

chmod 751 list_users

Who was that masked user?

Every time you create a file, you are submitted to a default set of
permissions. Go ahead. Create a blank file using the touch command. I
am going to call my blank file “fish”.

$ touch fish

Now, have a look at its permissions by doing and “ls –l”.

$ ls -l
total 0
-rw-rw-r-- 1 mgagne mgagne 0 Nov 5 11:57 fish

Without
doing anything whatsoever, your file has read and write permissions for
both the user and group, and read permission for everybody else. This
happens because you have a default file creation mask of “002”. You can discover this using the “umask” command.

$ umask
002

The 2 is subtracted from the possible set of permissions,
rwx (or 7). 7 – 0 remains 7 while 7 – 2 is 5. But wait! 5 stands for
“r-x” or read and execute. How is it that the file only shows a read
bit set? That’s because newly created files are not set executable. At
best, they provide read and write permissions for everyone. Another
way to display this information is by using the “-S’ flag. Instead of the numeric output, you’ll get a symbolic mask displayed.

$ umask -S
u=rwx,g=rwx,o=rx

If you have an application that requires you to
provide a default set of permissions for all the files you create, then
change the “umask” to reflect that inside your scripts. As an example,
let’s pretend that your program or script created text files that you
wanted everyone to be able to read (444). Since the execute bit won’t
be a factor anyway, if you mask out the write bit using a 2 all around,
then everybody will have read permission. We’ll set our umask to 222,
create another file (called “duck” this time), then do an “ls –l” to
check things out.

And
once again, it's time to wrap it up. Look for part 6 of this series
coming your way on Thursday. Leave any comments you may have here on Google Plus or over here on Facebook. Remember that you can also follow the action on CookingWithLinux.com where it's all Linux, all the time. Except for the occasional wine review. Also, make sure you sign up for the mailing list over here so that you're always on top of what you want to be on top of. So to speak. And this is where I leave you, until next time.